Remote Access for Telecommuters and Mobile Workers
Introduction
A key benchmark of a company's success is
its ability to improve the productivity of its workforce. In
a digital information economy, employees can be productive
from almost any location as long as they can easily access
the resources they need and communicate with other
employees. With the Windows® 2000 operating system, any
business can provide affordable remote dial-up network
access (to the private LAN), using the integrated Routing
and Remote Access Service. With this technology, Windows-,
Novell-, Apple-, and UNIX-based client systems can reliably
access the corporate network and the critical business files
they need from any location, at any time.
The Windows 2000 Server family provides
numerous technological enhancements over the remote access
solution in the Windows NT® 4.0 operating system. These
enhancements can be organized into three categories:
- Better client integration
- More efficient management tools and services
- A better integrated client-server platform
Best Client-Server Remote Access
Windows 2000 Server Routing and Remote
Access is a mature, full-featured, third-generation service
of Windows-based server operating systems. It provides a
rich complement of authentication services and protocols
that simplify connectivity for clients running Windows CE,
Windows 95, Windows 98, Windows NT Workstation, and Windows
2000 Professional, as well as Novell-, Apple-, and
UNIX-based clients. However, only client computers running
Windows 2000 Professional give remote workers the full
spectrum of networking and communication services,
technologies, and features.
Windows 2000 Server interoperates
seamlessly with Windows 2000 Professional client hardware,
security technologies, Quality of Service (QoS), remote
dial-up connections, Virtual Private Networking (VPN), and
network applications software services. And Windows 2000
supports single-sign-on authorization and authentication
across these services. Windows 2000 Server and clients work
together using standards-based services for smart card-based
access, and VPN encryption technologies for lower costs and
improved security. Network software services for clients
running Windows 2000 Professional allow remote users to
communicate with their colleagues through e-mail as well as
through multimedia-based collaboration using NetMeeting®
conferencing software and internet messenger applications.
In addition, Windows 2000 Server Remote Access Service can
meet the security and interoperability needs that
organizations demand from a remote access solution.
Windows 2000 Server supports numerous
types of high-performance media as well as more broadly
implemented network topologies (such as simple modem
dial-up). This broad media support is complemented by
various improved technologies, which include:
- A more efficient TCP/IP stack
- Integrated support for Digital Signal Processor (DSP) offload services
- Network-traffic data compression
- Multi-link aggregation of low-bandwidth connections
- Clustering and load balancing services
- Quality of Service (QoS) queuing protocols, including 802.1p, ATM, RSVP, and DiffServ
- Integrated Services over Slow Links (ISSLOW)
Enhanced hardware and software services
ensure that Windows 2000-based remote clients can directly
access the corporate network through a Windows 2000 server providing
remote network access (RNA) or a clustered set of Windows
2000 VPN servers (clustering is available in Windows 2000
Advanced Server). The result is a reliable, scalable, and
highly available solution that provides a high performance
remote access network experience.
The management tools and services included
as a part of the Routing and Remote Access feature of
Windows 2000 mark a clear improvement over those available
in Windows NT 4.0. With Windows 2000, there are new tools,
new technologies, and new directory-integrated services that
allow scalable policy-based management of the remote access
infrastructure. IT managers can improve the network
experience of telecommuters and mobile users, improve
network security, and collect information on usage
patterns to better manage the infrastructure throughout
their organizations. These enhancements result in a more
efficient and responsive organization that can proactively
address and capitalize on new market opportunities.
Server Wizards and a New Remote Access Tool Set
Windows 2000 Server simplifies the setup
of a remote access server through the provision of a
Configure Your Server wizard and detailed, integrated
Help files. This wizard steps an IT manager through setting
up a remote access server and provides access to Help files
for detailed configuration information and tips. For remote
access implementations targeted to small groups of
telecommuters, this wizard helps the administrator configure
the network adapters and authentication and authorization
policies. After the service is configured, the administrator
can create client accounts and specify dial-up access
permissions using the Active Directory™ service.
For larger implementations, the administrator can apply a
network-access policy to groups of users using the Internet
Authentication Service, which is accessible through Routing
and Remote Access administrative tools.
Rich Policy-based Management
Because of the business-critical nature of
remote access, many organizations are finding that they need
to supply this service to a majority of their employees.
Managing a remote access network therefore means managing
many users and many systems, and doing so efficiently
requires the ability to apply management policies to them.
In Windows 2000, policy-based management
is accomplished with standards-based protocols and
directories. Active Directory supports standards such as
Lightweight Directory Access Protocol (LDAP) and the Remote
Authentication Dial-In User Service (RADIUS) to enhance access to
remote systems. These services can significantly simplify
and centralize management tasks for multi-vendor networks.
Using documented open schemas, Application Programming
Interfaces (APIs), LDAP, and RADIUS, Active Directory can
manage authentication of remote-access users across network
access devices such as routers and switches. Windows 2000
includes full-featured RADIUS services in its Internet
Authentication Service (IAS).
Support for RADIUS authentication combined
with an extensible editing tool for RADIUS attributes and
Active Directory integration allows servers running Windows
2000 to better manage large, heterogeneous, remote-access
environments. Windows 2000 integrates IAS with both the
Routing and Remote Access feature and Active Directory. As a
result, network administrators can centrally apply
finely-tuned remote access policy-based management rules,
and implement detailed accounting services across their
entire remote-access network infrastructure.
Parameters that can be applied using IAS
and Active Directory include RADIUS-enforced policy
regulation of privileges based on:
- IP address
- Manufacturer of the Network Access Server (NAS)
- Group of the user
- Service requested
- Protocol used
- Telephone number dialed by user
- Originating phone number
- Physical port used
- Day or time
- Originating client IP address
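As an added illustration of the policy conditions listed above (example code written for this page, not IAS or any Microsoft API), the following Python models a RADIUS Access-Request as a dictionary of attributes and evaluates it against an ordered list of remote access policies: the first policy whose conditions all match decides, and a request matching no policy is rejected. Attribute names follow RFC 2865 where one exists; the Windows-Groups and Timestamp fields, the subnet, the dialed number and the policies themselves are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

# An Access-Request reduced to the attributes the policy conditions inspect.
# "Windows-Groups" and "Timestamp" are assumed, constructed fields (constructed sample data).
AccessRequest = Dict[str, str]
Condition = Callable[[AccessRequest], bool]

@dataclass
class RemoteAccessPolicy:
    name: str
    grant: bool                                  # grant or deny when all conditions match
    conditions: List[Condition] = field(default_factory=list)
    def matches(self, req: AccessRequest) -> bool:
        return all(cond(req) for cond in self.conditions)

def nas_in_subnet(cidr: str) -> Condition:       # IP address of the NAS
    net = ip_network(cidr)
    return lambda r: ip_address(r.get("NAS-IP-Address", "0.0.0.0")) in net

def windows_group(group: str) -> Condition:      # group of the user
    return lambda r: group in r.get("Windows-Groups", "").split(";")

def called_number(number: str) -> Condition:     # telephone number dialed by user
    return lambda r: r.get("Called-Station-Id") == number

def framed_protocol(proto: str) -> Condition:    # protocol used (PPP, SLIP)
    return lambda r: r.get("Framed-Protocol") == proto

def business_hours(r: AccessRequest) -> bool:    # day or time: Mon-Fri 07:00-19:00
    t = datetime.fromisoformat(r["Timestamp"])
    return t.weekday() < 5 and 7 <= t.hour < 19

def evaluate(policies, req):
    """First policy whose conditions all match decides; no match rejects."""
    for p in policies:
        if p.matches(req):
            return p.name, p.grant
    return None, False

POLICIES = [  # constructed sample policies, in evaluation order
    RemoteAccessPolicy("Contractors outside business hours", grant=False,
                       conditions=[windows_group("Contractors"), lambda r: not business_hours(r)]),
    RemoteAccessPolicy("Telecommuters on the corporate RAS pool", grant=True,
                       conditions=[windows_group("Telecommuters"), nas_in_subnet("10.0.5.0/24"),
                                   called_number("4255550100"), framed_protocol("PPP")]),
]
```

Because evaluation stops at the first match, a deny policy placed ahead of a broader grant policy is what enforces the restriction; reversing the order would let the grant win.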
This detailed level of policy management
helps enhance and preserve current investments, while
improving the overall security and management efficiency of
the remote-access infrastructure. The RADIUS-based
accounting services provide better security-monitoring,
capacity-planning, and charge-back services for more
efficient network-cost-center management. In addition,
RADIUS support provides for easier outsourcing and service
level agreement enforcement. By using the Active Directory
service, IT managers can centrally manage the configuration
and policy for direct-dial and VPN services.
Enhanced Dial-up Management Services
Remote-access solutions need to address
both client- and server-management issues. Many end-to-end
solutions currently available fail to adequately address the
networking client. The result is an incomplete solution that
ultimately results in higher management and support costs.
Windows 2000 provides a unique set of integrated management
tools and services to address the wide range of issues
involved with servicing a diverse group of remote access
users.
Windows 2000 integrates phone book
management with a client connection manager configuration
tool called the Connection Manager Administration Kit to
create a flexible and comprehensive remote access solution.
The integrated solutions enable an IT administrator to
create custom dial-up remote access phone books using Phone
Book Administrator tools, and publish these phone books to a
Windows 2000-based Web application service called the
Connection Point Service. These phone books can contain
direct-dial remote access telephone numbers as well as
point-of-presence telephone numbers for one or more service
providers. The point-of-presence telephone numbers can have
a specific security configuration associated with them to
ensure that any connection made over a public network is
appropriately secured. Once the phone books are created and
published, the IT administrator can use a Connection Manager
Administration Kit (CMAK) wizard to create user or group
profiles containing custom graphics, help files, phone
books, remote access licenses, and automated connect
actions.
The automated connect actions enable the
integration of applications services with different phases
of the connection process. The CMAK wizard creates an easily
distributed, self-installing, custom executable file that,
when opened on the client, automatically configures remote
access using the newly established infrastructure and phone
book services. The administrator can also control how these
telephone numbers are presented to the user client in the
dialer. The administrator can use the interface to guide the
user to the least-expensive access numbers, while clearly
identifying more-expensive back-up numbers that should be
used only in emergencies.
This comprehensive set of integrated
client tools and Server services enables network
administrators to empower employees to efficiently use the
direct-dial and VPN remote-access options. In addition,
this solution enables administrators to remotely and
systematically update remote clients when there is any
change to the infrastructure. Using the enhanced set of
remote access dial-up and management services in Windows
2000 reduces management and accounting costs, dial-up fees,
legal risks, and laborious support issues.
Quality Remote Access
As demand increases for network access,
remote-access networks are becoming increasingly congested.
To address this increased demand, Windows 2000 supports
high-bandwidth media, client configuration tools such as
CMAK, and policy-based management services to regulate
access. Windows 2000 also provides an application-server
platform with an integrated set of standards-based,
Quality-of-Service (QoS) technologies to better prioritize
network traffic flows.
Both Windows 2000 Professional and Windows
2000 Server support network QoS technologies, from
media-specific ATM services to more generally applicable
protocols such as:
- The Resource Reservation Protocol (RSVP), which is used to request QoS from the network and to indicate QoS capabilities and requirements.
- The Subnet Bandwidth Manager/Designated Subnet Bandwidth Manager (SBM/DSBM), which is an extension of RSVP and is used with shared networks.
- Differentiated Services, used to classify packets and apply scheduling and queuing behavior.
- The 802.1p protocol, used to support QoS in LANs.
- Common Open Policy Service (COPS), which is used to pass policy information down to network devices.
Windows 2000 integrated support for WAN
and LAN protocols provides a true end-to-end QoS solution.
Additional support for QoS technologies, such as Integrated
Services over Slow Links (ISSLOW), provides improved
applications behavior over slower remote-access modem
connections.
Through broad standards support and the
use of Active Directory as a central policy store for
Quality of Service, Windows 2000 aids network administrators
in efficiently managing network use. The access control
features in Windows 2000 simplify applying policy-based flow
control to user accounts stored in Active Directory. Using
these policies, IT administrators can better control network
traffic flow, application behavior, and bandwidth use.
Better management of the ebb and flow of network traffic
provides improved network reliability.
By supporting Internet standards, as well
as Active Directory and Quality of Service standards, and by
working with industry-leading network vendors, Windows
2000-based networking solutions can prioritize diverse
network-application and user traffic across switches and
routers at the core of a corporate network. By taking
advantage of QoS technology and standards-based network
management tools, network administrators can more
effectively regulate bandwidth allocation. The result is
higher quality and more reliable service for
mission-critical applications and users.
Through broad cross-platform client
support and integration with Windows 2000 Professional
networking technologies, Windows 2000 provides an optimal
remote-access solution for telecommuting and mobile users.
Windows 2000 Server can both provide a stand-alone remote
access solution, and serve as a termination point for
completing an outsourced remote access service solution.
With dual support for direct remote access and
Internet-based connectivity, Windows 2000 offers the optimal
technical and economical WAN infrastructure for any
organization.
Windows 2000 lets an organization maintain
sole centralized policy-based management and control over
network authentication while minimizing costs by providing
secure local access anywhere in the service-provider area.
The result is an easy-to-use and affordable solution that
eliminates not only the risks of a single point of failure,
but also the risks associated with dependence on a single
service provider's infrastructure.